Last Updated: 2023-12-12 ~ DPDP Consultants
Data is the cornerstone of modern business operations. With the increasing reliance on digital platforms for transactions and interactions, there was an urgent need to establish a legislative framework to protect users’ data. India has finally taken a significant step forward by introducing the Digital Personal Data Protection Act (DPDPA) in 2023. This groundbreaking legislation is poised to reshape how businesses handle personal data and safeguard user privacy. However, every new law brings its own set of challenges. With the DPDP Act 2023 in force, businesses are now accountable not only for current user data but also for all data collected since their inception. The chief objective of the Digital Personal Data Protection Bill is to establish a durable framework for the protection and processing of personal data. The Act covers data captured in digital form, and data captured in physical form if it is subsequently digitised. The legislation affects all sectors, including education, banking, insurance, healthcare, hospitality, e-commerce, retail, travel, aviation, and telecom.
What is the DPDPA in India?
On August 3, 2023, the Ministry of Electronics & Information Technology (MeitY) introduced the Digital Personal Data Protection Bill, 2023. Parliament passed the bill on August 7, 2023, and the Rajya Sabha followed on August 9, 2023. On August 11, 2023, it was published in the Official Gazette after receiving Presidential assent. Here are the key features:
Coverage Under DPDPA
Any person or entity processing personal data for any purpose other than personal or domestic use, or having another party process personal data on its behalf, is covered under the DPDPA.
Mandatory Notice for Consent: Transparency in Data Processing
Under the DPDP Act, a notice stating the purpose of the processing must accompany every request for consent.
Data Principals’ Rights: Revisions, Deletion, and Transparent Use
Data Principals can request correction of inaccurate information held about them and deletion of their personal data once they stop using the services for which it was collected. Use and retention must be in line with the disclosures made to the Data Principal.
Explicit Consent for Data Storage and Purpose
Data may be stored only after explicit, clearly defined consent has been given, and used only for the purpose for which that consent was sought and given.
Child Well-being Protection: Restrictions on Data Fiduciaries
A Data Fiduciary shall not process personal data in a way that may have a detrimental effect on the well-being of a child. It shall also not track or monitor children’s behaviour or target advertising at children.
Ensuring Data Protection in International Transfers
The Act recommends that international data transfers be made only to countries that provide an adequate level of data protection. Where adequate protection is lacking, standard contractual clauses or other approved mechanisms should be in place to safeguard cross-border data flows.
Entities Governed by the DPDP Act
1. Data Protection Board
The DPDP Act provides for a Data Protection Board, yet to be established, as an enforcement body of the Central Government.
2. Data Fiduciary
A Data Fiduciary is any person or entity that determines the purpose and means of processing personal data. Under the DPDP Act, a Data Fiduciary may process the data itself or through any party that processes personal data on its behalf, defined as a Data Processor. The Data Fiduciary is responsible for compliance under the DPDP Act.
3. Consent Manager
The Data Principal may give, manage, review, revise or withdraw consent via a Consent Manager. The Consent Manager is accountable to the Data Principal and must be registered with the Data Protection Board.
4. Data Principal
Individuals to whom the personal data pertains have the right to request access to their personal data held by organisations under the DPDP Act 2023. They can inquire about the processing, its purpose, and the entities involved in handling their data.
Benefits of the DPDP Act for Data Principals
The DPDP Act, among other things, provides rights of redressal to the Data Principal. Prior to the DPDP Bill, there was no provision for Data Principals to learn how their data was used or misused. Today, a Data Principal affected by the misuse of information provided to businesses, visa agencies, educational consultants, HR consultants, employers, e-commerce and martech businesses, banks, healthcare providers, and the like may have redressal measures under the DPDP Act.
Exemptions of Entities from the DPDP Act
Presently, the only entity exempted under the DPDP Act is the government and its agencies. "The Digital Personal Data Protection Bill, 2023, introduced in the parliament on August 3, 2023, gives the government broad powers to exempt any of its agencies from all provisions of the Bill." Given this, DPDP Consultants in India will be sought after by businesses trying to understand the Act and its impact on their business.
Administrative Fines & Penalties for Non-Compliance Under the DPDP Act
No. | Breach | Penalty
1 | Breach in observing the obligation of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub-section (5) of section 8 | May extend to two hundred and fifty crore rupees (INR 250,000,000)
2 | Breach in observing the obligation to give the Board or the affected Data Principal notice of a personal data breach under sub-section (6) of section 8 | May extend to two hundred crore rupees (INR 200,000,000)
3 | Breach in observance of additional obligations in relation to children under section 9 | May extend to two hundred crore rupees (INR 200,000,000)
4 | Breach in observance of additional obligations of a Significant Data Fiduciary under section 10 | May extend to one hundred and fifty crore rupees (INR 150,000,000)
5 | Breach in observance of the duties under section 15 | May extend to ten thousand rupees (INR 10,000)
6 | Breach of any term of a voluntary undertaking accepted by the Board under section 32 | Up to the extent applicable for the breach in respect of which the proceedings under section 28 were instituted
7 | Breach of any other provision of this Act or the rules made thereunder | May extend to fifty crore rupees (INR 50,000,000)
Impact on Businesses
The DPDP Act is the latest legislation governing how businesses and organisations will process, retain and protect the digital personal data of individuals. Every organisation that collects and processes the digital personal data of any individual, including its own employees, will be required to comply with these new regulations.
Compliance Requirements: The DPDPA is likely to impose various compliance requirements on businesses, including the implementation of data protection policies, the appointment of a Data Protection Officer (DPO), the conduct of data protection impact assessments, and adherence to defined data protection principles.
Data Localisation: The bill may contain provisions on the storage of personal data within India. This could affect businesses that rely on global data storage and processing facilities.
Consent and Transparency: The DPDPA may require businesses to obtain explicit consent before collecting and processing personal data. It may also mandate transparency in how businesses handle and use personal information.
Data Subject Rights: The bill may grant individuals rights over their personal data, such as the right to access, correct, and delete it. Businesses would need to establish mechanisms through which these rights can be exercised.
Data Breach Notification: The DPDPA may introduce requirements for businesses to promptly notify the authorities and affected individuals in the event of a data breach.
Impact on Tech Companies: Technology companies, especially those handling significant volumes of personal data, may need to reassess their data processing practices and implement measures to ensure compliance with the new regulations.
Cross-Border Data Transfers: If the DPDPA includes provisions on cross-border data transfers, businesses involved in such transfers may need to meet specific requirements to ensure the lawful transfer of personal data.
Penalties for Non-Compliance: The bill may introduce penalties for non-compliance, which could include fines and other regulatory actions. Businesses need to account for these potential penalties when developing their data protection strategies.
Conclusion
With an extensive new digital law to be implemented in phases, many misses and missteps by businesses, Data Fiduciaries, and Consent Managers can result in substantial non-compliance penalties. Moreover, all financial penalties are credited to the Consolidated Fund of India, not to Data Principals. To avoid non-compliance penalties, DPDP consultants in India are the best help for businesses trying to understand the Digital Personal Data Protection Bill framework.